I currently have a server which has a DynDNS subdomain (let's call it foo.dyn.com). I also have a proper domain with a CNAME pointing to that subdomain (let's call it bar.baz.com). foo.dyn.com has a self-signed SSL certificate, while bar.baz.com has a proper CA-signed SSL certificate.

I've set up Apache to redirect non-ssl requests for either domain to https://bar.baz.com, which works fine.
My problem is this: I want anyone trying to access https://foo.dyn.com to get redirected to https://bar.baz.com. I've tried 2 solutions and neither gets it quite right:

1. Have 1 VirtualHost, using the CA certificate. This obviously gives a horrible warning about the domain using the wrong certificate when someone tries to access https://foo.dyn.com.

2. Have 2 VirtualHosts, one for foo.dyn.com with the self-signed certificate and one for bar.baz.com using the proper certificate. The foo.dyn.com one has a redirect clause that redirects all traffic to https://bar.baz.com, which works except that you still get the self-signed certificate warning. Also, some non-web-browser HTTP clients (like wget) get foo.dyn.com's certificate when pointed at bar.baz.com.

2 Answers

This is a problem in the protocol stack. You can only have one SSL certificate per IP per port.

The reason is the following: the VirtualHost system of Apache and the like is based on the HTTP Host header. However, this header is sent after the SSL connection is established (as all headers are sent after establishing the SSL connection; otherwise it would be a bit useless).

So, the only means the server has to choose a certificate is the interface or IP the connection comes in on, and the port.

A solution for the warning, though, would be to add your second domain as a SubjectAltName to the certificate.
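The SubjectAltName approach from this answer, as an added example that is not part of the question or the answer: it generates one self-signed certificate whose SAN list names both hosts, then checks each name against it the way a client does before deciding whether to warn. It assumes the openssl command-line tool is installed and uses the question's placeholder host names.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/san.crt"
KEY="$WORK/san.key"

# Build a self-signed certificate carrying both names as SAN DNS entries.
# The CN alone (bar.baz.com) would not cover foo.dyn.com; the SAN list does.
make_san_cert() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = bar.baz.com
[v3_san]
subjectAltName = DNS:bar.baz.com, DNS:foo.dyn.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$KEY" -out "$CERT" -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Return 0 when the certificate's names cover the host name in $1, 1 otherwise.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_covers() {
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q ' does match '
}

make_san_cert
cert_covers bar.baz.com && echo "bar.baz.com: covered"
cert_covers foo.dyn.com && echo "foo.dyn.com: covered"
cert_covers other.example || echo "other.example: not covered (a client would warn)"
```

With a certificate like this, a single port-443 VirtualHost with ServerName bar.baz.com and ServerAlias foo.dyn.com can serve both names without a name-mismatch warning, and a mod_rewrite rule keyed on the Host header can then issue the redirect to https://bar.baz.com.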